How does kubernetes do service address to endpoint pod address translation? use kube-proxy and NAT?

Time:10-10

I deployed a service myservice to the k8s cluster. Using kubectl describe service ..., I can find that the service IP is 172.20.127.114. At the same time, the service endpoints are 10.34.188.30:5000,10.34.89.157:5000. How does Kubernetes handle service address to endpoint address translation? Does kube-proxy handle the NAT? Which Linux module does kube-proxy use to handle NAT?

kubectl describe service myservice

Name:              myservice
Namespace:         default
Labels:            app=myservice
                   app.kubernetes.io/instance=myservice
Annotations:       argocd.argoproj.io/sync-wave: 3
Selector:          app=myservice
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                172.20.127.114
IPs:               172.20.127.114
Port:              <unset>  80/TCP
TargetPort:        5000/TCP
Endpoints:         10.34.188.30:5000,10.34.89.157:5000
Session Affinity:  None
Events:            <none>

iptables is used for setting node firewall rules. My understanding is that iptables does not do NAT.

CodePudding user response:

This depends on the type of service being used; for ClusterIP, connections from within the cluster are never source NAT'd. More details are in the k8s documentation.

CodePudding user response:

I hope this helps you.

Pod to Pod communication

  • No built-in solution
  • Expects you to implement a networking solution
  • But imposes fundamental requirements on any implementation to be pluggable into Kubernetes

K8s requirements of CNI Plugins

  • Every Pod gets its unique IP address
  • Pods on the same Node can communicate with that IP address
  • Pods on different Nodes can communicate with that IP address without NAT (Network Address Translation)

Kubernetes Networking Model

  • All nodes must be able to reach each other, without NAT
  • All pods must be able to reach each other, without NAT
  • Pods and nodes must be able to reach each other, without NAT
  • Each pod is aware of its IP address (no NAT)
  • Pod IP addresses are assigned by the network implementation

Summary

  • The "pod-to-pod network" or "pod network":
    • Provides communication between pods and nodes
    • Is generally implemented with CNI plugins
  • The "pod-to-service network":
    • Provides internal communication and load balancing
    • Is generally implemented with kube-proxy
  • Network policies:
    • Provide firewalling and isolation
    • Can be bundled with the "pod network" or provided by another component
  • Inbound traffic can be handled by multiple components:
    • Something like kube-proxy (for NodePort services)
    • Load balancers (ideally, connected to the pod network)
  • It is possible to use multiple pod networks in parallel (with "meta-plugins" like CNI-Genie or Multus)
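An added example (not taken from either answer) showing where the service-to-endpoint translation actually happens: kube-proxy in iptables mode programs DNAT rules into the netfilter nat table, and the script below walks a constructed iptables-save excerpt in that format to resolve the ClusterIP from the question to its two endpoints and the share of new connections each receives. The rule text is constructed rather than captured from the cluster, and chain suffixes such as KUBE-SVC-EXAMPLE1 are placeholders for the hashes kube-proxy generates.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed excerpt in the shape kube-proxy (iptables mode) writes into the
# nat table: KUBE-SERVICES matches ClusterIP:port, KUBE-SVC-* picks an endpoint
# with the statistic module, KUBE-SEP-* performs the DNAT. Chain hashes are placeholders.
SAMPLE_NAT_RULES = """
-A KUBE-SERVICES -d 172.20.127.114/32 -p tcp -m comment --comment "default/myservice cluster IP" -m tcp --dport 80 -j KUBE-SVC-EXAMPLE1
-A KUBE-SVC-EXAMPLE1 -m comment --comment "default/myservice" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-EXAMPLE1
-A KUBE-SVC-EXAMPLE1 -m comment --comment "default/myservice" -j KUBE-SEP-EXAMPLE2
-A KUBE-SEP-EXAMPLE1 -s 10.34.188.30/32 -m comment --comment "default/myservice" -j KUBE-MARK-MASQ
-A KUBE-SEP-EXAMPLE1 -p tcp -m comment --comment "default/myservice" -m tcp -j DNAT --to-destination 10.34.188.30:5000
-A KUBE-SEP-EXAMPLE2 -s 10.34.89.157/32 -m comment --comment "default/myservice" -j KUBE-MARK-MASQ
-A KUBE-SEP-EXAMPLE2 -p tcp -m comment --comment "default/myservice" -m tcp -j DNAT --to-destination 10.34.89.157:5000
"""

def parse_chains(rules_text: str) -> Dict[str, List[List[str]]]:
    """Group '-A <chain> ...' lines into chain -> list of tokenised rules."""
    chains: Dict[str, List[List[str]]] = {}
    for line in rules_text.splitlines():
        tokens = shlex.split(line)  # handles the quoted --comment values
        if len(tokens) >= 2 and tokens[0] == "-A":
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return chains

def option(tokens: List[str], flag: str) -> str:
    """Return the value following `flag` in a rule, or '' if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else ""

def resolve_service(rules_text: str, cluster_ip: str, port: int) -> List[Tuple[str, float]]:
    """Follow KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* for ClusterIP:port and
    return [(endpoint, share of new connections)] in rule order."""
    chains = parse_chains(rules_text)
    svc_chain = ""
    for rule in chains.get("KUBE-SERVICES", []):
        if option(rule, "-d") == f"{cluster_ip}/32" and option(rule, "--dport") == str(port):
            svc_chain = option(rule, "-j")
    result: List[Tuple[str, float]] = []
    remaining = 1.0  # traffic not yet claimed by an earlier statistic rule
    for rule in chains.get(svc_chain, []):
        prob = option(rule, "--probability")
        share = remaining * float(prob) if prob else remaining  # last rule takes the rest
        remaining -= share
        for sep_rule in chains.get(option(rule, "-j"), []):
            if option(sep_rule, "-j") == "DNAT":  # the netfilter action that rewrites the destination
                result.append((option(sep_rule, "--to-destination"), round(share, 4)))
    return result

if __name__ == "__main__":
    for endpoint, share in resolve_service(SAMPLE_NAT_RULES, "172.20.127.114", 80):
        print(f"{endpoint} receives {share:.0%} of new connections")
```

On a real node the same rules can be read with `iptables-save -t nat` and fed to resolve_service; in IPVS mode kube-proxy uses the kernel's IPVS instead of iptables DNAT, and `ipvsadm -Ln` is the place to look.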
